b"Department of Homeland Security\n   Of\xef\xac\x81ce of Inspector General\n\n\n      Transportation Security Administration \n\n              Privacy Stewardship \n\n\n\n\n\nOIG-09-97                                August 2009\n\x0c                                                             Office of Inspector General\n\n                                                             U.S. Department of Homeland Security\n                                                             Washington, DC 20528\n\n\n\n\n                                      August 28, 2009\n\n                                         Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was\nestablished by the Homeland Security Act of 2002 (Public Law 107-296) by amendment\nto the Inspector General Act of 1978. This is one of a series of audit, inspection, and\nspecial reports prepared as part of our oversight responsibilities to promote economy,\nefficiency, and effectiveness within the department.\n\nThis report addresses the Transportation Security Administration\xe2\x80\x99s plans and activities to\ninstill and promote an effective culture of privacy in compliance with federal privacy\nlaws and regulations. It is based on interviews with employees and officials of relevant\nagencies and institutions, direct observations, and a review of applicable documents.\n\nThe recommendations herein have been developed to the best knowledge available to our\noffice, and have been discussed in draft with those responsible for implementation. We\ntrust this report will result in more effective, efficient, and economical operations. We\nexpress our appreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                      Richard L. 
Skinner \n\n                                      Inspector General \n\n\x0cTable of Contents/Abbreviations\nExecutive Summary .............................................................................................................1\n\nBackground ..........................................................................................................................2\n\nResults of Audit ...................................................................................................................5\n\n\n     Commitment to Privacy .................................................................................................5 \n\n     Policies on the Proper Handling of Personally Identifiable Information.......................7 \n\n     Compliance With Federal Privacy Laws and Regulations ............................................7 \n\n     Established Processes for Notice, Complaints, and Redress for Individuals...............12 \n\n     Privacy Awareness and Training .................................................................................14 \n\n     Improvements to Privacy Effectiveness.......................................................................15 \n\n\n     Recommendations........................................................................................................18 \n\n     Management Comments and OIG Analysis ................................................................18 \n\n\nFigures\n     Figure 1:              TSA\xe2\x80\x99s Purposes for Personally Identifiable Information ......................2 \n\n     Figure 2:              DHS Privacy Framework ......................................................................3 \n\n     Figure 3:              Organizational Committee to Privacy ...................................................5 \n\n     Figure 4:              Privacy Compliance Management.........................................................8 \n\n     Figure 5:              Notice, Complaints, 
and Redress for Individuals................................12 \n\n     Figure 6:              TSA Privacy Initiatives .......................................................................14 \n\n     Figure 7:              Improvements to Privacy Awareness and Training ............................17 \n\n\nAppendices\n     Appendix A:           Purpose, Scope, and Methodology.......................................................19 \n\n     Appendix B:           Management Comments to the Draft Report .......................................20 \n\n     Appendix C:           Programs Reviewed During This Audit...............................................23 \n\n     Appendix D:           Cross Reference of DHS Privacy Framework With Component \n\n                           Privacy Officer Duties .........................................................................24 \n\n     Appendix E:           Cross Reference of DHS Privacy Framework With Criteria Applied to \n\n                           TSA Privacy Stewardship ....................................................................25 \n\n     Appendix F:           Fair Information Practice Principles ....................................................27 \n\n     Appendix G:           TSA Culture of Privacy Survey ...........................................................28 \n\n     Appendix H:           Laws, Regulations, Directives, and Guidance Related to TSA Privacy \n\n                           Stewardship..........................................................................................29 \n\n     Appendix I:           Major Contributors to This Report ......................................................30 \n\n     Appendix J:           Report Distribution ..............................................................................31 \n\n\nAbbreviations\n     DHS                   Department of Homeland Security \n\n     DHS TRIP              DHS Traveler Redress Inquiry Program\n\n     FIPPs 
                Fair Information Practice Principles \n\n\x0cTable of Contents/Abbreviations\n\n  FISMA \t    Federal Information Security Management Act\n  IT        \tinformation technology\n  OIG \t      Office of Inspector General\n  OMB \t      Office of Management and Budget\n  OPPC \t     Transportation Security Administration, Office of Privacy Policy and\n            Compliance\n  PII \t      personally identifiable information\n  PIA \t      Privacy Impact Assessment\n  PTA \t      Privacy Threshold Analysis\n  SORN \t     System of Records Notice\n  TSA       \tTransportation Security Administration\n\x0cOIG\n\nDepartment of Homeland Security\nOffice of Inspector General\n\nExecutive Summary\n                 We performed an audit of the Transportation Security\n                 Administration\xe2\x80\x99s (TSA) privacy stewardship. Our audit objective\n                 was to determine whether TSA\xe2\x80\x99s plans and activities instill and\n                 promote a privacy culture and comply with federal privacy laws\n                 and regulations. As part of this audit, we surveyed 2,285 TSA\n                 employees on their knowledge of the Privacy Act, the proper\n                 handling of personally identifiable information, privacy incident\n                 response, and privacy stewardship. The results of this survey are\n                 discussed throughout the report. Appendix A provides our\n                 purpose, scope, and methodology.\n\n                 TSA has made progress in implementing a framework that\n                 promotes a privacy culture and complies with federal privacy laws\n                 and regulations. Specifically, TSA demonstrated its organizational\n                 commitment to privacy by designating the Office of Privacy Policy\n                 and Compliance (OPPC) to oversee its privacy functions. 
In\n                 addition, OPPC is strengthening TSA\xe2\x80\x99s culture of privacy through\n                 coordination with managers of programs and systems that contain\n                 personally identifiable information to meet reporting requirements,\n                 perform privacy risk impact assessments, prepare public\n                 notifications of systems of records, and enforce privacy rules of\n                 conduct. Further, OPPC has established processes for reviewing\n                 and reporting privacy incidents, issuing public notices, addressing\n                 complaints and redress for individuals, and implementing and\n                 monitoring privacy training for employees.\n\n                 TSA can improve its privacy program by implementing automated\n                 privacy-specific tools for testing and monitoring. Further, TSA\n                 can implement approaches to provide supplemental and job-\n                 specific privacy awareness or training activities. We are making\n                 two recommendations to the TSA Administrator to strengthen the\n                 privacy program.\n\n\n\n\n               Transportation Security Administration Privacy Stewardship\n\n                                        Page 1\n\x0cBackground\n               The Privacy Act of 1974, as amended, imposes various\n               requirements on agencies whenever they collect, use, or\n               disseminate personally identifiable information (PII).\n               Additionally, federal laws, regulations, directives, and guidelines\n               set the minimum standards and procedures for handling PII.\n               Appendix H lists some requirements specific to TSA privacy\n               stewardship.\n\n               TSA facilitates the security and freedom of movement of the\n               nation\xe2\x80\x99s air, surface, and maritime transportation systems. 
This\n               requires coordinating or overseeing the security of highways,\n               buses, mass transit systems, railroads, pipelines, ports, and\n               approximately 450 U.S. airports. More than 40,000 TSA\n               employees stationed throughout the world interact daily with the\n               public or collect, use, and disseminate PII about the public. In\n               2009, for example, TSA implemented the Secure Flight program\n               which will eventually require a substantial volume of PII to screen\n               airline passengers. According to the U.S. Department of\n               Transportation\xe2\x80\x99s Bureau of Transportation Statistics, U.S. airlines\n               carried 649.9 million domestic passengers on 9.3 million flights in\n               2008.\n\n               TSA defines PII as any information that permits the identity of an\n               individual to be directly or indirectly inferred, including any\n               information that is or can be linked to that individual, regardless of\n               whether the individual is a U.S. citizen, legal permanent resident,\n               or a visitor to the United States. 
Figure 1 shows the purposes for\n               which TSA collects PII for 10 TSA programs that we reviewed\n               during this audit.\n\n                   TSA\xe2\x80\x99s PURPOSES FOR PERSONALLY IDENTIFIABLE INFORMATION\n                                                   Examples\n                                 THREAT ASSESSMENT & CREDENTIALING\n                    \xef\xbf\xbd   Perform security threat assessments: alien flight students; airline crew\n                        members; aviation travelers; hazardous material drivers\n                    \xef\xbf\xbd   Confirm identity of national transportation system workers via biometric\n                        credential\n                    \xef\xbf\xbd   Screen cargo transported by passenger aircraft\n                                             LAW ENFORCEMENT\n                    \xef\xbf\xbd   Protect flight deck against acts of criminal violence or air piracy\n                    \xef\xbf\xbd   Share transportation security intelligence with federal, state, and local\n                        law enforcement\n                                                       REDRESS\n                    \xef\xbf\xbd   Provide a one-stop mechanism for individual redress\n               Figure 1. TSA\xe2\x80\x99s Purposes for Personally Identifiable Information\n               Source: OIG Analysis of Privacy Impact Assessments and System of Records Notices\n               for 10 PII programs. (See appendix C for details on these programs.)\n\n\n\n\n             Transportation Security Administration Privacy Stewardship \n\n\n                                       Page 2\n\n\x0c                           The Department of Homeland Security (DHS) Privacy Office\n                           promotes the growth of privacy programs within the DHS\n                           components as a means of addressing privacy. 
Further, the DHS\n                           Privacy Office is implementing a privacy framework that\n                           establishes the roles and responsibilities for component privacy\n                           offices. Figure 2 illustrates the DHS privacy framework.\n\n\n\n\n                           Figure 2. DHS Privacy Framework\n                           Source: DHS Privacy Office\n\n\n                           Privacy stewardship includes establishing privacy requirements\n                           prior to program initiation, performing privacy risk assessments\n                           and mitigation, and integrating privacy safeguards into program\n                           operations. Responsible stewardship of PII through each of the\n                           functional areas of an agency privacy program is fundamental to\n                           instilling a culture of privacy.1 Promotion of an effective culture\n                           of privacy leads to embedded shared attitudes, values, goals, and\n                           practices for complying with the proper handling of PII and the\n                           recognition that the public and employees should have protections\n                           of how their PII is used.\n\n                           The Fair Information Practice Principles (FIPPs) are a set of\n                           principles, rooted in the tenets of the Privacy Act, that form the\n                           basis of TSA\xe2\x80\x99s privacy compliance policies and procedures for\n1\n A privacy program is a comprehensive approach to managing privacy compliance and risk in DHS programs and\nactivities. 
(Adapted from NIST Special Publication 800-39, Managing Risk from Information Systems: An\nOrganizational Perspective, April 2008.)\n\n\n\n                         Transportation Security Administration Privacy Stewardship\n\n                                                    Page 3\n\x0c                             governing the use of PII.2 Also part of the privacy framework are\n                             five functional areas that promote a culture of privacy and\n                             compliance with legal requirements. (See appendix D for\n                             component privacy officer duties and appendix E for legal\n                             requirements, including TSA directives, that relate to these\n                             functional areas.)\n\n                                  \xef\xbf\xbd    Organizational Commitment to Privacy: Establish\n                                       organizational oversight and implement privacy activities.\n                                  \xef\xbf\xbd    Policies for Proper Handling of PII: Define and promote\n                                       privacy policies and procedures.\n                                  \xef\xbf\xbd    Privacy Compliance Management: Implement tools and\n                                       processes to ensure privacy compliance (including\n                                       reporting requirements, privacy impact assessments,\n                                       systems of records notices, privacy incident handling, and\n                                       privacy rules of conduct).\n                                  \xef\xbf\xbd    Notice, Complaints, and Redress for Individuals:\n                                       Establish processes for notices, complaints, and redress for\n                                       individuals.\n                                  \xef\xbf\xbd    Privacy Awareness and Training: Support privacy\n                           
            requirements through privacy awareness and training.\n\n\n\n\n2\n  DHS Privacy Office, Privacy Policy Guidance Memorandum 2008-01, December 29, 2008, adopted the Fair\nInformation Practice Principles as its privacy policy framework for application by DHS programs and activities. (See\nappendix F for descriptions of each of the principles.)\n\n\n\n                          Transportation Security Administration Privacy Stewardship\n\n                                                       Page 4\n\x0cResults of Audit\n     Commitment to Privacy\n          TSA has an organizational commitment to privacy stewardship. Figure 3\n          illustrates three factors indicating TSA\xe2\x80\x99s commitment to privacy that\n          include the designation of a privacy point of contact for oversight,\n          development of internal privacy stewards, and managers promoting\n          privacy compliance.\n\n\n\n\n          Figure 3. Organizational Commitment to Privacy\n          Source: OIG analysis from TSA documentation.\n\n\n          Designation of a Privacy Point of Contact\n\n          In 2004, confronted with privacy challenges from collecting large volumes\n          of PII, TSA appointed a privacy officer to address privacy issues and\n          issued guidance to employees and managers regarding their responsibility\n          to respect and protect privacy. The goals were to instill and promote a\n          culture of privacy throughout TSA\xe2\x80\x99s operations, and to protect and respect\n          the privacy of individuals affected by TSA\xe2\x80\x99s transportation activities.\n\n          In 2006, TSA designated the director of the Office of Privacy Policy and\n          Compliance (OPPC) to assume TSA\xe2\x80\x99s privacy function. To assist in\n          creating a privacy program, TSA added two staff with privacy-related\n          experience and certifications to OPPC. 
TSA also added a program-level\n          privacy contact for Secure Flight and embedded four privacy specialists\n          into its operation.\n\n          OPPC coordinates and oversees privacy protections according to TSA\n          Management Directive 2100.2, Privacy and Information Collection\n          Policy, by taking a service-oriented approach to working with TSA\n          personnel and setting a goal to acknowledge inquiries within 24 hours. As\n          a measure of OPPC\xe2\x80\x99s outreach, 92% of surveyed employees indicated that\n          they are aware of OPPC\xe2\x80\x99s presence and roles; 82% of surveyed employees\n          consider privacy to be important.\n\n\n                Transportation Security Administration Privacy Stewardship\n\n                                          Page 5\n\x0cAlso, OPPC reaches out to external groups to gather information,\nimproves agency visibility as a privacy leader, and promotes\norganizational involvement in privacy efforts, participation on privacy-\nrelated boards, presentations at conferences, and sharing of best practices.\nFurther, OPPC participates on the DHS Privacy Office\xe2\x80\x99s committees, such\nas DHS best practices and privacy contract clauses.\n\nDevelopment of Internal Privacy Stewards\n\nOPPC is responsible for monitoring TSA compliance with privacy law and\ninstilling a culture of privacy. However, since OPPC has a small staff,\ndeveloping privacy stewards within TSA can multiply the effectiveness of\nOPPC\xe2\x80\x99s privacy awareness and outreach. Privacy stewards are individuals\noutside OPPC who promote compliance with privacy requirements and\nsupport a culture of privacy at job-specific levels. 
Progress has been made\nin developing privacy stewards by implementing privacy awareness\nactivities and reaching groups within TSA; 45% of surveyed employees\nconsider themselves privacy stewards.\n\nWorking with internal groups is one way OPPC promotes the concept that\neveryone in TSA is responsible for privacy. OPPC participates in various\nmeetings and integrated program teams and provides guidance on the\nprivacy implications and interpretation of privacy criteria. Program and\nsecurity managers told us that they regularly contact OPPC for privacy\nassistance and guidance.\n\nOPPC interacts with privacy stewards to gain a better understanding of\nprivacy risk in mission-related programs and how these risks relate to the\noverall level of TSA\xe2\x80\x99s commitment to privacy. The development of an\norganization-wide cadre of privacy stewards is important in helping\nemployees who handle PII to understand that PII is a critical data asset\nthat must be fully aligned with program objectives.\n\nManagers Promoting Privacy\n\nManagers promote privacy to ensure that anyone entrusted with PII\nproperly uses, protects, and disposes of PII. TSA program managers and\nsupervisors take a proactive approach to privacy stewardship. For\nexample, some program managers maintain standard operating procedures\non employing proper PII handling. In compliance with TSA Management\nDirective 3700.4, Handling Sensitive Personally Identifiable Information,\nsupervisors remind employees about proper PII handling and hold\nthemselves and their workforce accountable.\n\n\n\n     Transportation Security Administration Privacy Stewardship\n\n                              Page 6\n\x0cPolicies on the Proper Handling of Personally Identifiable\nInformation\n      As required by TSA Management Directive 3700.4, OPPC issues policies\n      and procedures to define privacy compliance and promote its overall\n      privacy mission. 
Management communicates its views and requirements\n      to employees through internal privacy policies and procedures. OPPC\n      publishes these privacy policies and guidance on its intranet site. Almost\n      75% of surveyed employees who collect, handle, view, or maintain PII\n      said that they look for privacy policies and procedures on the intranet\n      privacy website.\n\n      OPPC issued TSA Management Directive 3700.4 to describe privacy\n      requirements and provide examples of what would be considered privacy\n      incidents. OPPC\xe2\x80\x99s guidance on privacy incident reporting is consistent\n      with Office of Management and Budget (OMB) and DHS Privacy Office\n      requirements. Almost 80% of surveyed employees were able to identify a\n      privacy incident correctly from a list of five examples. Nearly 95% of\n      surveyed employees said that they knew the reporting procedures for\n      suspected privacy incidents.\n\n      TSA Management Directive 3700.4 also explains how employees can\n      implement methods for handling sensitive PII and requires TSA\n      employees to review their responsibilities annually to comply with the\n      Privacy Act and DHS and TSA privacy policies. Almost 80% of surveyed\n      employees demonstrated knowledge by correctly identifying the\n      requirements of the Privacy Act and TSA privacy policies.\n\n      DHS 4300A, Sensitive Systems Handbook, requires TSA to provide a\n      security and privacy statement at every publicly accessible electronic entry\n      point and display a warning banner on its intranet. TSA has external\n      privacy notices and internal network banners to provide pertinent\n      information to the public and to remind employees of the importance of\n      their responsibilities for privacy compliance. 
OPPC reviews these\n      statements and banners for compliance with privacy requirements.\n\nCompliance With Federal Privacy Laws and Regulations\n      TSA Management Directive 2100.2 establishes OPPC\xe2\x80\x99s responsibility for\n      an internal privacy management program to ensure that all PII gathered\n      under the Privacy Act is handled properly. OPPC executes plans and\n      activities to comply with federal privacy laws, directives, and the FIPPs.\n      For example, OPPC assists TSA program managers in integrating FIPPs\n      into their programs that require PII.\n\n\n\n           Transportation Security Administration Privacy Stewardship\n\n                                    Page 7\n\x0c                   Figure 4 shows five areas for privacy compliance management in which\n                   program managers and supervisors participate. As a measure of OPPC\xe2\x80\x99s\n                   effectiveness in cultivating an understanding of the various legal\n                   requirements in dealing with PII, all 20 managers of the programs we\n                   reviewed were able to articulate the privacy requirements for these areas.\n                   We address OPPC\xe2\x80\x99s efforts to ensure legal compliance in the following\n                   sections.\n\n\n\n\n                   Figure 4. 
Privacy Compliance Management\n                   Source: DHS Privacy Office\n\n                   Privacy Impact Assessment\n\n                   The E-Government Act of 2002 requires agencies to conduct Privacy\n                   Impact Assessments (PIA) for information systems undergoing a\n                   certification and accreditation that collect, maintain, or disseminate PII.3\n                   TSA follows a two-part process for identifying and assessing information\n                   technology systems that collect or maintain PII.\n\n                   During the first part of this process, managers complete a Privacy\n                   Threshold Analysis (PTA), which includes a description of the system,\n                   what PII, if any, is collected or used, and from whom. OPPC provides\n                   guidance and assistance to the managers regarding the development and\n                   preparation of the PTA, and approval of new or enhanced programs that\n                   may have privacy implications. OPPC forwards the completed PTA to the\n                   DHS Privacy Office to assist in identifying programs in DHS that use PII,\n                   evaluating changes to existing systems, determining the need for a PIA,\n                   and determining whether an existing System of Records Notice (SORN)\n                   will cover the new or enhanced program.4\n\n\n\n3\n  The PIA requirement of the E-Government Act has been extended by Office of Management and Budget\nMemorandum 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated\nSeptember 26, 2003, to include technology that predates the Act if that technology has since undergone a significant\nchange.\n4\n  The SORN is published in the Federal Register. 
A system of records is a group of any records about an individual\nunder agency control from which information is retrieved by that individual\xe2\x80\x99s name, identifying number, symbol, or\nother identifying particular assigned to the individual. (5 U.S.C. \xc2\xa7 552a(a)(5); TSA Management Directive 2100.2.)\n\n\n\n                           Transportation Security Administration Privacy Stewardship\n\n                                                        Page 8\n\x0cDuring the second part of the process, managers complete a PIA to\nidentify and assess privacy risks as precursors to determine what level of\nprotections or controls are required to mitigate risks to PII. OPPC assists\nin the review of the proposed data elements to identify opportunities for\nPII minimization during the conduct of new and existing PIAs. The PIA\nincludes the identification and analysis of the proposed collection\nmethodology, analytical uses of data, privacy risks, and methods to\nmitigate risks. Almost 82% of surveyed managers indicated that they\nunderstand the PIA process and requirements.\n\nOPPC reviews the completed PIAs, makes updates, and forwards\ndocumentation to the DHS Privacy Office. Once reviewed and approved\nby the DHS Privacy Office, unclassified PIAs are published in the Federal\nRegister and on the DHS Privacy Office\xe2\x80\x99s internet website.\n\nAs required by the E-Government Act, TSA maintains an electronic\ninventory of 75 PII systems as of October 2008. To keep the PII\ninventory current, OPPC provides oversight of collection, use,\ndissemination, and maintenance of PII at TSA by scheduling annual\ndiscussions with program and system managers. (See appendix C for\ninformation regarding PIAs for the 10 PII programs that we reviewed.)\nOPPC formalized an annual review process as another analytical layer in\nTSA\xe2\x80\x99s PII review. This process requires written responses to standardized\nquestions regarding the status of the PIA and SORN. 
Further, this process is intended to stimulate thinking about the FIPPs and privacy safeguards and to identify key discussion items and areas for further review.

System of Records Notice

The Privacy Act mandates that agencies publish a SORN when they maintain PII in a system of records. The SORN explains how the public can exercise rights granted through the Privacy Act regarding the PII in that system of records. OPPC provides guidance and assistance to managers regarding the development and approval of systems of records. Almost 74% of surveyed managers and employees demonstrated knowledge of SORNs. (See appendix C for information regarding SORNs for the 10 PII programs that we reviewed.)

Further, OPPC reviews compliance with public notice requirements for systems of records or exemptions through the established process of reviewing PIAs and SORNs. The Privacy Act allows government agencies to exempt certain records from the access and amendment provisions. If an agency claims an exemption, it must issue a Notice of Proposed Rulemaking to explain why a particular exemption is claimed.

Transportation Security Administration Privacy Stewardship
Page 9

All of TSA’s Privacy Act exemptions are published in the Federal Register and on the DHS Privacy Office internet website.

Privacy Incident Handling

DHS Action Memorandum, Designation of Component Level Privacy Officers, dated May 3, 2007, establishes that component-level privacy officers are the points of contact to handle privacy incident response.5 TSA Management Directive 3700.4 establishes TSA’s processes for reporting a privacy incident, detecting and minimizing the loss of privacy data, and notifying appropriate parties as required by the DHS Privacy Office’s Privacy Incident Handling Guidance. Periodically, OPPC broadcasts messages with reminders that each employee controls the first step in preventing privacy violations.

OMB M-07-16 requires agencies to report all incidents involving PII to the United States Computer Emergency Readiness Team within an hour of the incident’s discovery.6 TSA had already established a core breach response group in January 2007 as recommended by OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notification, dated September 20, 2006. Further, as required by the DHS Privacy Office’s Privacy Incident Handling Guidance, OPPC reports suspected privacy incidents after reviewing them. TSA inspectors investigate the incidents, as necessary.

TSA complies with the OMB M-07-16 requirement for agencies to develop a notification policy and plan. As part of the notification procedures, OPPC follows an internal review process to evaluate the reasonable risk of harm that the incident poses to the affected individuals, and then issues notices to affected individuals, as appropriate.7 As a best practice, the DHS Privacy Office adopted OPPC’s template for providing notification of a privacy incident as the model for all DHS components.

[5] A privacy incident results from the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, and for an other than authorized purpose, have access or potential access to PII in usable form, whether physical or electronic. The term encompasses both suspected and confirmed incidents involving PII that raise a reasonable risk of harm. (DHS Privacy Office, Privacy Incident Handling Guidance, § 2.4.11.)
[6] The United States Computer Emergency Readiness Team (US-CERT), a partnership between public and private sectors, also coordinates DHS incident response activities.
[7] Reasonable risk of harm refers to a likelihood that an individual on whom information is maintained may experience a substantial harm, embarrassment, inconvenience, or unfairness. (DHS Privacy Office, Privacy Incident Handling Guidance, § 2.4.13.)

Reporting Compliance

As required by OMB M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act [(FISMA)] and Agency Privacy Management, OPPC provides updated information—including incident response—to the DHS Privacy Office on its privacy management program as part of the overall reporting to OMB.8 Congress and OMB review these results to evaluate agency-specific and government-wide security and privacy performance. In addition to its system security requirements, FISMA directs agencies to identify privacy risks intrinsic to each of their systems, develop ways to mitigate those risks, and report results of ongoing system assessments to OMB.

Privacy requirements and security controls are in different program areas within TSA.
Therefore, OPPC consults with program officials, the chief information security officer, and information system security managers to review all circumstances that may reveal weaknesses in the privacy program for which remedial action, additional training, or development of internal guidance or policy may be appropriate.

Privacy Rules of Conduct

The Privacy Act requires privacy rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records.9 OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, underscores the importance of privacy rules of conduct and the adoption of penalties for noncompliance. TSA disseminates its rules of privacy conduct and the consequences of violating them to all employees and contractors involved with PII.

As required by the Privacy Act, TSA Management Directive 3700.4, Handling Sensitive Personally Identifiable Information, identifies responsibilities of TSA employees and requires their compliance with the Privacy Act and all DHS and TSA policies and regulations. This directive requires TSA supervisors to ensure that subordinates annually review their responsibilities in relation to the privacy policies and rules. TSA Management Directive 1100.73-5, Employee Responsibilities and Conduct, requires protection of information. Also, these rules of conduct are provided during the required online annual training. Some TSA programs require the acceptance of rules of privacy conduct prior to access to computers.

[8] OMB Memorandum 06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 17, 2006, provides reporting instructions for any physical or electronic incidents involving the loss of or unauthorized access to PII.
[9] Privacy Act of 1974, 5 U.S.C. § 552a(e)(9) (Establish Rules of Conduct.)

DHS Management Directive 0470.2, Privacy Act Compliance, requires that employees be advised of the possible consequences for violations of the Privacy Act. OPPC’s goal is to ensure that the workforce understands the data it handles and the consequences of a privacy policy violation. Almost 86% of surveyed employees indicated that they understand that there are penalties for violating the Privacy Act.

In response to a violation of TSA’s rules of conduct, supervisors execute remedial, corrective, or preventive actions. When notified of privacy violations, OPPC follows up with supervisors to ensure that corrective action, such as retraining or issuing letters of counseling, is taken. When OPPC finds a systemic issue, it improves awareness through broadcast messages or training. Also, OPPC recommends disciplinary action.
For example, when an individual broadcast PII to all persons in the office, although only one staff member needed to know that information, the violator was required to receive additional training on privacy information handling and was issued a letter of reprimand.

Established Processes for Notice, Complaints, and Redress for Individuals

Three privacy-related processes engage individual members of the public. As indicated in Figure 5, these processes address notice, complaints, and redress.

Figure 5. Notice, Complaints, and Redress for Individuals
Source: DHS Privacy Office

Processes for Notice for Individuals

The Privacy Act requires agencies to protect individuals by ensuring that personal information collected by federal agencies is limited to that which is legally authorized and necessary and is maintained in a manner that precludes unwarranted intrusions upon individual privacy.10 TSA provides a Privacy Act statement to all persons asked to provide personal information about themselves that will go into a system of records. OPPC reviews all TSA Privacy Act statements for compliance with the Privacy Act. DHS 4300A, Sensitive Systems Handbook, requires that DHS components present a security and privacy statement at every publicly accessible electronic entry point to agency websites. OPPC reviews the security and privacy statements before they are published on TSA’s internet websites.

[10] Privacy Act of 1974, 5 U.S.C. § 552a(e)(3) (Privacy Act Statement.)

Processes for Complaints for Individuals

Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007 established additional privacy reporting requirements for DHS regarding reviews and complaints. For the purposes of reporting, complaints are written allegations of harm or violation of privacy compliance requirements filed with the DHS Privacy Office or TSA.11 After addressing the privacy complaints or issues, OPPC forwards this information to the DHS Privacy Office in its quarterly reporting. Information on privacy complaints is available for public view on the DHS Privacy Office internet website.

TSA publishes information on how the public can file a complaint or request redress (including correction) on its internet websites. As required by the Implementing Recommendations of the 9/11 Commission Act of 2007 § 803, TSA categorizes complaints as follows: (1) process and procedure issues, such as consent, appropriate notice at the time of collection, notices provided in the Federal Register, rules, or SORNs; (2) operational issues related to general privacy concerns and concerns not related to transparency or redress; (3) referrals to another federal agency or appropriate organization; or (4) redress issues related to appropriate access, correction, and redress, excluding Freedom of Information Act and Privacy Act requests for access.12 For the first three categories, OPPC is a point of contact for privacy complaints regarding process and procedures, operations, and referrals. Redress is handled separately, as described below.

[11] DHS Privacy Office, Privacy Policy Guidance Memorandum 2007-01, allows complaints from U.S. Citizens and Lawful Permanent Residents, as well as visitors and aliens. (January 19, 2007, amended January 7, 2009.)
[12] The Freedom of Information Act grants the right to request access to federal agency records, except those covered by any of nine exemptions. See 5 U.S.C. § 552(b).

Processes for Redress for Individuals

For redress and correction of their information, the Traveler Redress Inquiry Program (TRIP) is a single point of contact for individuals who have inquiries, seek resolution regarding difficulties they experienced during their travel screening at transportation hubs, or need correction of misidentifications during a credentialing process or traveler screening at airports.13 Travel difficulties include being denied or delayed airline boarding; being denied or delayed entry into or exit from the United States; and being continually referred for additional and secondary security screening. From July 31, 2007 through July 31, 2008, DHS TRIP received 31,206 redress requests, 2,100 of which were privacy related.

TSA also handles redress for transportation sector workers seeking credentials under TSA regulations. This population is estimated to exceed 7 million workers and covers groups such as hazmat drivers and transportation and airport workers. TSA has established both appeals and waiver processes, and has received roughly 79,000 requests since inception.

[13] To address concerns about the high incidence of mistakes in the TSA watch lists, in 2004 Congress directed TSA to develop a prescreening process that would not produce a large number of false positives and would give misidentified airline passengers an effective way to correct the information in the database. In 2006, TSA’s Office of Transportation Security Redress implemented the traveler redress website. The program evolved into the DHS Traveler Redress Inquiry Program (DHS TRIP) on February 21, 2007. DHS TRIP is managed by TSA and assisted by staff from various participating components.

Privacy Awareness and Training

DHS Management Directive 0470.2 requires that all employees be made aware of, and comply with, the Privacy Act. Toward that end, OPPC implements and monitors privacy awareness and training so that PII handlers understand risks, their own role in implementing privacy policies, and ways to mitigate those risks. As Figure 6 indicates, OPPC issues weekly newsletters, monthly privacy reminders, and posters to promote privacy awareness.

Figure 6.
TSA Privacy Initiatives
Source: TSA documentation

Almost 83% of surveyed employees indicated positive effects of OPPC’s privacy awareness, training, and guidance on their jobs. OPPC sends email reminders to alert employees to general privacy events and issues, posts privacy information on its intranet site for employee reference, and broadcasts messages on specific privacy guidance. TSA employees believe that the “Privacy Man” poster series is twice as effective as email or broadcast messages and recommend continuation of the poster campaign. One program—Secure Flight—has reminders in a section of its internal newsletter, “The Privacy Corner.” Also, OPPC integrated privacy requirements into checklists used by airport and field inspectors.

OMB M-07-16 requires privacy training for new employees and annual privacy training for all employees. TSA uses standardized privacy materials from the DHS Privacy Office’s “Culture of Privacy Awareness” training to meet these requirements. According to OPPC, nearly 100% of employees completed their 2008 privacy training. OPPC receives a monthly report from the TSA Online Learning Center listing employees who have not completed their required privacy training within a month of reaching their annual training threshold. OPPC contacts their supervisors to ensure that the employees complete the training.

OPPC provides special training for program managers, information system security officers, and security officers. Almost 56% of surveyed employees also received advanced or specialized privacy training. Some managers or supervisors give their employees additional privacy training. Other TSA programs, such as Secure Flight, provide training based on roles and operation-specific rules of conduct. In addition to the required DHS Privacy Office “Culture of Privacy Awareness” training, Secure Flight provides three additional levels of training for its personnel: “Privacy in Action” for Secure Flight managers and employees, reinforcement training, and advanced training.

Improvements to Privacy Effectiveness

TSA can improve its commitment to privacy effectiveness by having the Office of the Chief Information Officer (OCIO) implement automated privacy-specific tools for testing and monitoring.
Further, TSA can implement innovative approaches to provide supplemental and job-specific privacy awareness or training activities.

Automated Privacy-Specific Tools for Testing and Monitoring

The Privacy Act requires federal agencies to establish appropriate administrative, technical, and physical safeguards to protect PII against any anticipated threats or hazards to its security or integrity. Further, the FIPPs require that TSA protect PII through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure. TSA Management Directive 2100.2 establishes OPPC’s oversight responsibility for PII and for privacy policy implementation. However, the OCIO is responsible for securing data, including PII, for all TSA systems and services. According to DHS Management Directive 0007.1, Information Technology Integration and Management, OCIO directs timely delivery of mission information technology (IT) services in direct support of a component’s mission, goals, objectives, and programs, and provides management and administration of all component IT resources and assets to meet mission, department, and enterprise program goals.

Because the OCIO does not provide automated privacy tools for testing and monitoring, OPPC has been checking periodically for PII data leakage by manually searching TSA file servers for PII stored in locations that should not contain it, or stored without the password protection that should limit access to it. Data leakage is the exposure or transmission of PII that permits unauthorized access or disclosure. These periodic checks found PII that should not have been accessible. Further, according to TSA, data spills, unprotected emails of personnel information, and lost folders containing PII have occurred.

Although OPPC implements privacy policies and interacts with personnel, OCIO cannot, without such tools, continuously monitor privacy behavior electronically or measure the strength of PII protections.
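The manual file-server searches described above are the kind of check that an automated tool would run on a schedule. The following script is an added example and not TSA’s or OCIO’s tooling: it sweeps a directory tree for Social Security number- and payment card number-shaped strings, discards values that cannot be genuine (SSN areas the SSA never issues, digit runs that fail the Luhn check) so that tracking numbers and dates are not reported, and records whether each file holding PII is readable by any local user. The directory layout, file names, sample values, and the use of the “other-readable” mode bit as the stand-in for “should be password-protected” are all assumptions made for this illustration; a real deployment would substitute the site’s own share paths, PII patterns, and access-control checks.

```python
"""Added example, not TSA's or OCIO's tooling: a scheduled sweep of a file
share for PII that sits where it should not, or that any user can read.
It automates the manual file-server searches the report describes.  The
directory layout, file contents and permission model are constructed for
this illustration."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List

# SSN-shaped strings (AAA-GG-SSSS) and card-number-shaped digit runs with
# optional space or hyphen separators.  Both get a plausibility filter so
# that tracking numbers and dates are not reported as PII.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped values the SSA never issues: area 000, 666 or
    900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers (rightmost digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> List[str]:
    """Return one label ('ssn' or 'card') per plausible PII value in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("card")
    return hits


@dataclass
class Finding:
    path: str
    pii_types: List[str]   # sorted, de-duplicated labels
    world_readable: bool   # mode bits grant read access to 'other'


def scan_tree(root: str) -> List[Finding]:
    """Walk root and report every file that contains plausible PII, noting
    whether its permissions let any local user read it.  A hit in a location
    that should hold no PII, or a world-readable hit anywhere, is the
    'data leakage' the report describes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    labels = find_pii(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if labels:
                mode = os.stat(path).st_mode
                findings.append(Finding(path, sorted(set(labels)), bool(mode & stat.S_IROTH)))
    return sorted(findings, key=lambda f: f.path)


def build_sample_share() -> str:
    """Create a constructed share under a temp dir and return its root.
    Every name and value here is invented for the example."""
    root = tempfile.mkdtemp(prefix="share-")
    samples = {
        # export left on the public area: plausible SSN plus a Luhn-valid test card number
        "public/roster_export.csv": "name,ssn,card\nA. Example,123-45-6789,4111 1111 1111 1111\n",
        # SSN-shaped, but area 000 is never issued, so it must not be reported
        "public/notes.txt": "ticket 000-12-3456 is a tracking id, not a person\n",
        # genuine PII in the HR area, but mode 0600 keeps it owner-only
        "hr/restricted/case.txt": "employee 219-09-9999 counseled on 2009-03-01\n",
        "public/readme.txt": "nothing sensitive here\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o600 if "restricted" in rel else 0o644)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in scan_tree(share):
        flag = "WORLD-READABLE" if f.world_readable else "restricted"
        print(f"{os.path.relpath(f.path, share)}: {','.join(f.pii_types)} [{flag}]")
```

Run stand-alone, the sweep reports the roster export on the public area as a world-readable file containing both an SSN and a card number, and the HR case file as containing an SSN but restricted to its owner; the tracking id in notes.txt is not reported. Scheduling this over real shares, and diffing successive runs, gives the continuous monitoring and the per-system measurements that the report says TSA currently lacks.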
TSA has not purchased tools and technologies to automate privacy protections because further research and collaboration by OPPC and OCIO are necessary to identify requirements and appropriate approaches within the TSA computing environment. Without privacy-focused measurements and testing, TSA cannot compare the levels of PII protection across different systems containing PII or improve overall privacy data protection and monitoring.

More Effective Privacy Awareness and Training Are Needed

To promote and improve daily awareness of employees’ privacy responsibilities, OMB M-07-16 recommends that agencies augment training using creative methods, job-specific communications, and advanced training commensurate with the employees’ responsibilities.14 According to DHS Action Memorandum, dated May 3, 2007, OPPC is responsible for implementing and monitoring training for TSA employees in coordination with the DHS Privacy Office. TSA provides required computer-based annual privacy training for employees and offers specialized privacy training to groups such as program and security managers. TSA augments required privacy training through some awareness activities, such as the “Privacy Man” poster series. However, OPPC, based on perceived organizational needs, has implemented only a limited-scale privacy awareness campaign.15 Secure Flight works with OPPC to improve program-level understanding of how to integrate privacy requirements into its operations.

Out of 875 survey responses that provided written comments, 469 employees wanted improvements in privacy awareness and training. These improvements, illustrated in Figure 7, fall into five categories: vary the delivery method of privacy training (26%); provide more job-specific privacy training (17%); develop more privacy awareness activities (26%); increase the frequency of privacy training (26%); and improve communication of privacy requirements (5%).

[Figure 7 is a pie chart of the five categories listed above, with the percentages given there.]
Figure 7. Improvements for Privacy Awareness and Training
Source: OIG analysis

[14] Office of Management and Budget Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007.
[15] A comprehensive privacy awareness campaign could include privacy awareness week; privacy cleanup day; training classes tailored for specific privacy needs; privacy events; email advisories; newsletters; periodicals; intranet privacy daily news; posters; do and don’t lists; warning banners/messages; and reward programs that include privacy letters of appreciation.

TSA relies on computer-based privacy training from the DHS Privacy Office to meet the Privacy Act annual training requirement. The primary delivery methods for TSA’s privacy communications and policies are also electronic. However, the computerized delivery method does not meet the unique needs of the TSA workforce. TSA has a large workforce spread over a wide geographical area, and an estimated 80% of employees have limited access to computers. The computerized delivery may limit the overall effectiveness of the training.

Extending beyond the control of OPPC, organizational commitment, collaboration, and resources are necessary to implement a large-scale, innovative privacy awareness and training program. According to 74% of surveyed employees, TSA needs more frequent and effective privacy awareness, job-specific training, and privacy communications.
TSA employees need to be continually reminded of the importance of protecting PII and preventing privacy incidents.

Recommendations

We recommend that the TSA Administrator:

Recommendation #1: Direct the Office of the Chief Information Officer to implement automated privacy-specific tools for testing and monitoring.

Recommendation #2: Implement approaches to provide supplemental and job-specific privacy awareness or training activities for the TSA workforce.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the TSA Acting Administrator. We have included a copy of the comments in appendix B.

The Acting Administrator concurred with our findings and recommendations. We consider our recommendations resolved, but open pending our review of actions taken by TSA.

Appendix A
Purpose, Scope, and Methodology

Our objective was to determine whether TSA’s plans and activities instill and promote a privacy culture and comply with federal privacy laws and regulations. As background for this audit, we researched and reviewed federal guidance and laws related to TSA’s responsibilities for privacy protections. We reviewed testimonies, TSA documentation, and reports related to TSA’s privacy, information technology security, and program management.

We interviewed officials from the DHS Office of the Chief Information Officer and the DHS Privacy Office. With the latter, we discussed its implementation of the DHS Privacy Framework and the duties of component privacy officers. In addition to interviewing TSA’s Office of Privacy Policy and Compliance and chief information security officer, we interviewed more than 65 program managers and information system security professionals at TSA headquarters and field sites regarding privacy activities. We surveyed 2,285 TSA employees on their knowledge of the Privacy Act, PII handling, privacy incident response, and privacy stewardship. Of this survey group, 875 employees offered written comments on the status, issues, suggestions, or challenges in TSA privacy stewardship. (See appendix G.)

We selected a sample of 16 systems (that support 10 programs) from a total of 75 systems that handle personally identifiable information. We reviewed technical information, system security documentation, architectures, financial justifications, privacy impact assessments, system of records notices, application of the Fair Information Practice Principles, and TSA and program-level application of privacy policies.

Our analysis is based on direct observation, review of applicable documentation, and interviews. We conducted this performance audit between August 2008 and May 2009 in accordance with generally accepted government auditing standards.
The standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The principal OIG points of contact for the audit are Frank Deffer, Assistant Inspector General for Information Technology Audits at (202) 254-4041, and Marj Leaming, Director, System Privacy Division at (202) 254-4172. Major OIG contributors to the audit are identified in appendix I.

Appendix B
Management Comments to the Draft Report

[Appendix B, pages 20 through 22 of the original, contains the copy of TSA’s written comments; no text was extracted from these pages.]

Appendix C
Programs Reviewed During This Audit

Each entry gives the program name and mission, its Privacy Impact Assessment (PIA), and its System of Records Notice (SORN).

THREAT ASSESSMENT & CREDENTIALING

Alien Flight Student Program (AFSP): Conduct the security threat assessments of alien flight students
  PIA: Transportation Security Administration's Alien Flight Student Program (Amended), December 22, 2006
  SORN: Transportation Security Threat Assessment System DHS/TSA 002, November 8, 2005, 70 FR 33383

Crew Vetting Program (CVP): Conduct security threat assessments of airline crew members
  PIA: Crew Vetting Program, July 28, 2004
  SORN: Transportation Security Threat Assessment System DHS/TSA 002, November 8, 2005, 70 FR 33383

Hazardous Material Fingerprints (HAZPRINT): Perform threat assessments of hazardous material drivers
  PIA: TSA Hazardous Materials Endorsement, Amendment, September 16, 2005
  SORN: Transportation Security Threat Assessment System DHS/TSA 002, November 8, 2005, 70 FR 33383

Secure Flight (SF): Match identifying information of aviation travelers against the terrorist watch list
  PIA: Transportation Security Administration's Secure Flight Program, October 21, 2008
  SORN: Secure Flight Records DHS/TSA 019, November 9, 2007, 72 FR 63711

Transportation Worker Identification Credential (TWIC): Provide a biometric credential to confirm national transportation system worker identity
  PIA: Transportation Security Administration's Transportation Worker Identification Credential Program Final Rule, October 5, 2007
  SORN: Transportation Security Threat Assessment System DHS/TSA 002, November 8, 2005, 70 FR 33383

Indirect Air Carrier Management System (IACMS): Screen cargo transported aboard passenger aircraft
  PIA: Air Cargo Security Requirements, November 12, 2008
  SORN: Transportation Security Threat Assessment System DHS/TSA 002, November 8, 2005, 70 FR 33383

Known Shipper Management System (KSMS): Screen cargo transported aboard passenger aircraft
  PIA: Air Cargo Security Requirements, November 12, 2008
  SORN: Transportation Security Threat Assessment System DHS/TSA 002, November 8, 2005, 70 FR 33383

LAW ENFORCEMENT

Federal Flight Deck Officer Dashboard (FFDO): Deputize volunteer aircraft personnel to defend the flight deck against acts of criminal violence or air piracy
  PIA: Transportation Security Administration’s Federal Flight Deck Officer Program, January 10, 2008
  SORN: Federal Flight Deck Officer Record System DHS/TSA 013, August 18, 2003, 68 FR 49496

Tactical Information Sharing System (TISS): Share transportation security intelligence with federal, state, and local law enforcement
  PIA: Transportation Security Administration's Tactical Information Sharing System, June 1, 2008
  SORN: Transportation Security Threat Assessment System DHS/TSA 002, November 8, 2005, 70 FR 33383

REDRESS

Traveler Redress Inquiry Program (TRIP): Provide a one-stop mechanism for individual redress
  PIA: The Department of Homeland Security Traveler Redress Inquiry Program, January 18, 2007
  SORN: Department of Homeland Security Redress and Response Records System DHS/ALL-005, January
                       18, 2007, 72 FR 2294\nSource: The DHS Privacy Office at http://www.dhs.gov/xabout/structure/editorial_0338.shtm. This page, which was\nlast reviewed/modified on March 12, 2009, has the TSA Privacy Impact Assessments and System of Records Notices.\nThe program missions are found in the respective Privacy Impact Assessments.\n\n\n\n\n                         Transportation Security Administration Privacy Stewardship \n\n\n                                                   Page 23\n\n\x0cAppendix D\nCross Reference of DHS Privacy Framework With Component Privacy Officer\nDuties\n\n                         DHS PRIVACY FRAMEWORK \xe2\x80\x93 FUNCTIONAL AREAS\n                            ORGANIZATIONAL COMMITMENT TO PRIVACY\n                    Establish organizational oversight and implement privacy activities.\n\n    -   Responsible for effectively communicating, in coordination with the DHS Privacy Office, privacy\n        initiatives associated with TSA with a variety of internal and external constituents, including the\n        media, industry stakeholders, various offices within DHS and other federal agencies.\n    -   Serve as the Chief Privacy Officer\xe2\x80\x99s main point of contact at TSA to implement the policies and\n        directives of the DHS Privacy Office in carrying out Section 222 of the Homeland Security Act of\n        2002, as amended.\n\n                              POLICIES FOR PROPER HANDLING OF PII\n                           Define and promote privacy policies and procedures.\n\n    -   Identify privacy issues related to TSA and apply appropriate privacy policies in accordance with\n        federal privacy laws, and DHS and TSA policies developed to ensure that TSA protects the privacy\n        of individuals affected by its activities.\n\n                              PRIVACY COMPLIANCE MANAGEMENT\n  Implement tools and processes for privacy compliance (including reporting requirements, privacy impact\n     
assessments, systems of records notice, privacy incident handling, and privacy rules of conduct).\n\n    -   Assist in draft and review PTAs, PIAs, and SORNs, as well as any associated privacy\n        documentation, as dictated by DHS Privacy Office policy and required by law, including the\n        Privacy Act of 1974, the E-Government Act of 2002, and the Homeland Security Act of 2002.\n    -   Provide oversight on the collection, use, dissemination, and maintenance of PII at TSA.\n    -   Serve as TSA\xe2\x80\x99s privacy point of contact to handle privacy incident responses as defined in the DHS\n        Privacy Office\xe2\x80\x99s Privacy Incident Handling Guide for all TSA disclosures involving PII.\n    -   Provide to the DHS Privacy Office information related to privacy, in coordination with the TSA\n        information system security manager necessary for the quarterly and annual FISMA reporting\n    -   Monitor TSA\xe2\x80\x99s compliance with all applicable federal privacy laws and regulations, implement\n        corrective, remedial, and preventive actions and notify the DHS Privacy Office of privacy issues or\n        any non-compliance, whenever necessary.\n\n                      NOTICE, COMPLAINTS, AND REDRESS FOR INDIVIDUALS\n                  Establish processes for notices, complaints, and redress for individuals.\n\n    -    Provide oversight on the collection, use, dissemination, and maintenance of PII at TSA.\n\n                                PRIVACY AWARENESS AND TRAINING\n                   Support privacy requirements through privacy awareness and training.\n\n    -    Implement and monitor training for TSA employees in coordination with the DHS Privacy Office.\n\nSource for Component Privacy Officer Duties: DHS Privacy Office Action Memorandum, Designation of Component\nLevel Privacy Officers, May 3, 2007. 
(OIG applied to TSA.)\n\n\n\n\n                        Transportation Security Administration Privacy Stewardship\n\n                                                  Page 24\n\x0c    Appendix E\n    Cross Reference of DHS Privacy Framework With Criteria Applied to TSA\n    Privacy Stewardship\n\n    As part of its privacy framework, the DHS Privacy Office identified five functional areas\n    necessary for component privacy officers to promote a culture of privacy. As part of the\n    TSA Privacy Stewardship audit, OIG applied criteria to TSA\xe2\x80\x99s functional areas as\n    described below.\n\n                             DHS PRIVACY FRAMEWORK \xe2\x80\x93 FUNCTIONAL AREAS\n                                   ORGANIZATIONAL COMMITMENT TO PRIVACY\n                          Establish organizational oversight and implement privacy activities.\n-     TSA Management Directive 2100.2, Privacy and Information Collection Policy (establish OPPC oversight for PII\n      and privacy implementation)\n-     TSA Management Directive 3700.4, Handling Sensitive Personally Identifiable Information (establish OPPC\n      responsibility for privacy management in compliance with federal privacy laws, directives, and the FIPPs)\n-     DHS Privacy Office Action Memorandum, Designation of Component Level Privacy Officers, May 3, 2007\n      (organizational oversight of PII)\n-     DHS Management Directive 0470.2, Privacy Act Compliance (privacy compliance and awareness)\n-     OMB M-05-08, Designation of Senior Agency Officials for Privacy\n-     OMB Circular A-130, Management of Federal Information Resources (privacy management)\n-     Privacy Act of 1974 (establish safeguards to protect PII)\n-     Fair Information Practice Principles (accountability, auditing, security)\n                                     POLICIES FOR PROPER HANDLING OF PII\n                                  Define and promote privacy policies and procedures.\n-     TSA Management Directive 3700.4, Handling 
Sensitive Personally Identifiable Information (establish policies and\n      procedures for privacy compliance)\n-     DHS 4300A, Sensitive Systems Handbook (privacy statement at publicly accessible entry)\n-     DHS Privacy Office Action Memorandum, Designation of Component Level Privacy Officers, May 3, 2007\n      (implement privacy laws, policies, and directives)\n-     OMB M-06-15, Safeguarding Personally Identifiable Information (establish safeguards to protect PII)\n-     OMB M-06-19, Reporting Incidents Involved Personally Identifiable Information and Incorporating the Cost for\n      Security in Agency Information Technology Investments\n-     OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (privacy\n      rules of conduct)\n-     Privacy Act of 1974 (establish safeguards to protect PII)\n-     Fair Information Practice Principles (PII purpose, use limitation, security)\n                                        PRIVACY COMPLIANCE MANAGEMENT\n     Implement tools and processes for privacy compliance (including reporting requirements, privacy impact\n          assessment, system of records notice, privacy incident handling, and privacy rules of conduct).\n-     TSA Management Directive 2100.2, Privacy and Information Collection Policy (privacy impact assessment, system\n      of records notice)\n-     TSA Management Directive 3700.4, Handling Sensitive Personally Identifiable Information (handling sensitive PII,\n      privacy incident handling, employee responsibility)\n-     DHS Privacy Office, Privacy Incident Handling Guidance\n-     DHS Management Directive 0470.2, Privacy Act Compliance (privacy compliance and awareness)\n-     DHS Privacy Office Action Memorandum, Designation of Component Level Privacy Officers, May 3, 2007 (privacy\n      incident response)\n-     OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act (post website\n      privacy notices, privacy 
impact assessments)\n-     OMB M-06-15, Safeguarding Personally Identifiable Information (privacy rules of conduct)\n-     OMB M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency\n      Privacy Management (reporting compliance)\n-     OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (privacy\n      rules of conduct)\n-     OMB Circular A-130, Management of Federal Information Resources (privacy reporting)\n-     Privacy Act of 1974 (privacy rules of conduct, system of records notice, establish safeguards to protect PII)\n-     E-Government Act of 2002 (post website privacy notices, privacy impact assessments, electronic inventory of PII)\n\n\n\n\n                            Transportation Security Administration Privacy Stewardship \n\n\n                                                        Page 25\n\n\x0c    Appendix E\n    Cross Reference of DHS Privacy Framework With Criteria Applied to TSA\n    Privacy Stewardship (continued)\n-    Federal Information Security Management Act of 2002 (agency-wide information security program)\n-    Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007 (privacy reporting\n     requirements)\n-    Fair Information Practice Principles (accountability, auditing, security)\n                           NOTICE, COMPLAINTS, AND REDRESS FOR INDIVIDUALS\n                       Establish processes for notices, complaints, and redress for individuals.\n-    DHS 4300A, Sensitive Systems Handbook (privacy statement at publicly accessible entry)\n-    OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (notice)\n-    OMB Circular A-130, Management of Federal Information Resources (complaints, redress)\n-    Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007 (reporting complaints,\n     redress)\n-    Privacy Act of 1974 (notices, 
complaints, redress)\n-    Fair Information Practice Principles (notices, complaints, redress)\n                                      PRIVACY AWARENESS AND TRAINING\n                       Support privacy requirements through privacy awareness and training.\n-    TSA Management Directive 3700.4, Handling Sensitive Personally Identifiable Information (employee compliance\n     with Privacy Act, DHS, and TSA privacy policies)\n-    DHS Privacy Office Action Memorandum, Designation of Component Level Privacy Officers, May 3, 2007 (monitor\n     privacy training)\n-    DHS Management Directive 0470.2, Privacy Act Compliance (privacy compliance and awareness)\n-    OMB M-06-15, Safeguarding Personally Identifiable Information (privacy training)\n-    OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (privacy\n     training and awareness)\n-    Privacy Act of 1974 (privacy rules of conduct)\n-    Fair Information Practice Principles (accountability, training)\n  Source: DHS Privacy Office (OIG added criteria as applied to TSA\xe2\x80\x99s privacy efforts.)\n\n\n\n\n                          Transportation Security Administration Privacy Stewardship\n\n                                                     Page 26\n\x0cAppendix F\nFair Information Practice Principles\n\nThe DHS Privacy Office, Privacy Policy Guidance Memorandum Number: 2008-01,\nDecember 29, 2008, adopted the Fair Information Practice Principles as its privacy policy\nframework for application by DHS programs and activities. 
The following are the eight\nspecific principles that guide privacy policy.\n\n                         THE FAIR INFORMATION PRACTICE PRINCIPLES\n\n  Transparency: DHS should be transparent and provide notice to the individual regarding its\n  collection, use, dissemination, and maintenance of personally identifiable information (PII).\n\n\n  Individual Participation: DHS should involve the individual in the process of using PII and, to\n  the extent practicable, seek individual consent for the collection, use, dissemination, and\n  maintenance of PII. DHS should also provide mechanisms for appropriate access, correction,\n  and redress regarding DHS use of PII.\n\n\n  Purpose Specification: DHS should specifically articulate the authority that permits the\n  collection of PII and specifically articulate the purpose or purposes for which the PII is\n  intended to be used.\n\n\n  Data Minimization: DHS should collect only PII that is directly relevant and necessary to\n  accomplish the specified purpose(s) and retain PII only for as long as is necessary to fulfill the\n  specified purpose(s).\n\n\n  Use Limitation: DHS should use PII solely for the purpose(s) specified in the notice. 
Sharing\n  PII outside the department should be for a purpose compatible with the purpose for which the\n  PII was collected.\n\n\n  Data Quality and Integrity: DHS should, to the extent practicable, ensure that PII is accurate,\n  relevant, timely, and complete.\n\n\n  Security: DHS should protect PII (in all media) through appropriate security safeguards\n  against risks such as loss, unauthorized access or use, destruction, modification, or\n  unintended or inappropriate disclosure.\n\n\n  Accountability and Auditing: DHS should be accountable for complying with these principles,\n  providing training to all employees and contractors who use PII, and auditing the actual use of\n  PII to demonstrate compliance with these principles and all applicable privacy protection\n  requirements.\n\n\n\n\n                      Transportation Security Administration Privacy Stewardship \n\n\n                                               Page 27\n\n\x0cAppendix G\nTSA Culture of Privacy Survey\n\nFrom November through December 2008, we surveyed TSA personnel to determine their\nlevel of privacy awareness and knowledge and to obtain recommendations for improving\nprivacy management. We developed the privacy questionnaire with OPPC\xe2\x80\x99s involvement\nto ensure compatibility with TSA\xe2\x80\x99s existing privacy culture. TSA personnel were\nemailed a link to a secure site to complete an online privacy questionnaire. All 2,285\nresponses were confidential, and results were accessible only by the OIG. 
The portion of\nthe survey that addressed knowledge of privacy was derived from, but not limited to, the\ncriteria in appendix E.\n\n              DEMOGRAPHICS OF PARTICIPANTS OF TSA CULTURE SURVEY\nLevel of Job Responsibility\n     -   Entry-level employees (27.3%)\n     -   Mid to high-level (non-manager) employees (40.7%)\n     -   Supervisors/managers (32.0%)\nLocation\n     -   Headquarters (8.1%)\n     -   Field offices (70.1%)\n     -   Operation centers (4.2%)\n     -   Other (17.6%)\nLength of Service\n     -   Less than 3 months (2.8%)\n     -   3\xe2\x80\x9312 months (9.3%)\n     -   1\xe2\x80\x933 years (13.6%)\n     -   More than 3 years (74.3%)\nSource: OIG Culture of Privacy Survey\n\n\nTSA personnel provided 875 additional written comments regarding privacy awareness\nand training, privacy accountability and enforcement, understanding privacy policy,\ninternal privacy communications, privacy stewardship, and culture of privacy. The\nfollowing figure summarizes these results.\n\n                                 Culture of Privacy Survey Results\n\n\n                                                                     Privacy Awareness and\n                                14%                                  Training\n                                         3%\n                   12%                                               Privacy Accountability and\n                                            6%                       Enforcement\n                                                                     Understanding Privacy Policy\n                                              11%\n                                                                     Internal Privacy\n                                                                     Communications\n                                                                     Privacy Stewardship\n\n                         54%                                         Culture of Privacy\n\n\n\nSource: OIG 
Culture of Privacy Survey\n\n\n\n\n                         Transportation Security Administration Privacy Stewardship\n\n                                                    Page 28\n\x0cAppendix H\nLaws, Regulations, Directives, and Guidance Related to TSA Privacy Stewardship\n\n                                           LEGISLATION\n\n\nPrivacy Act of 1974, 5 U.S.C. \xc2\xa7 552a. (1974). http://www.opm.gov/feddata/USC552a.txt\n\nE-Government Act of 2002, Public Law 107-347, 44 U.S.C. Ch 36. (2002).\nhttp://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107\n\nFederal Information Security Management Act of 2002 (FISMA), 44 U.S.C. \xc2\xa7 3541, et seq. (2002).\nhttp://csrc.nist.gov/drivers/documents/FISMA-final.pdf\n\nImplementing Recommendations of the 9/11 Commission Act of 2007, Public Law 110-53, 121 Stat. 266,\n360. (2007). http://www.nctc.gov/docs/ir-of-the-9-11-comm-act-of-2007.pdf\n\n                                        OMB MEMORANDA \n\n\nOMB M-06-20: FY 2006 Reporting Instructions for the Federal Information Security Management Act\nand Agency Privacy Management. (July 17, 2006).\nhttp://www.whitehouse.gov/omb/memoranda/fy2006/m06-20.pdf\n\nOMB M-07-16: Safeguarding Against and Responding to the Breach of Personally Identifiable\nInformation. (May 22, 2007). http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf\n\n                                  DIRECTIVES AND GUIDANCE \n\n\nDHS Management Directive Number 0470.2: Privacy Act Compliance. (October 6, 2005). (No external\nlink.)\n\nDHS 4300A: Sensitive Systems Handbook. (July 2009). (No external link.)\n\nDHS Privacy Office: Privacy Incident Handling Guidance. (September 10, 2007).\nhttp://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_pihg.pdf\n\nDHS Privacy Office Action Memorandum: Designation of Component Level Privacy Officers. (May 3,\n2007). 
(No external link.)\n\nDHS Privacy Policy Guidance Memorandum Number 2008-01: The Fair Information Practice\nPrinciples: Framework for Privacy Policy at the Department of Homeland Security. (December 29, 2008).\nhttp://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf\n\nTSA Management Directive Number 3700.4: Handling Sensitive Personally Identifiable Information.\n(December 9, 2008). (No external link.)\n\nTSA Management Directive Number 2100.2: Privacy and Information Collection Policy. (July 25,\n2005). (No external link.)\n\n\n\n\n                       Transportation Security Administration Privacy Stewardship\n\n                                                Page 29\n\x0cAppendix I\nMajor Contributors to This Report\n\n                   System Privacy Division\n\n                   Marj Leaming, Director\n                   Eun Suk Lee, Lead Privacy Auditor\n                   Philip Greene, System Privacy Auditor\n                   Cory Missimore, Privacy Specialist\n                   Zach Miller, Management and Program Assistant\n\n                   Shannon Frenyea, Referencer\n\n\n\n\n                 Transportation Security Administration Privacy Stewardship\n\n                                          Page 30\n\x0cAppendix J\nReport Distribution\n\n                      Department of Homeland Security\n\n                      Secretary\n                      Deputy Secretary\n                      Chief of Staff for Operations\n                      Chief of Staff for Policy\n                      Deputy Chiefs of Staff\n                      Acting General Counsel\n                      Executive Secretariat\n                      Director, GAO/OIG Liaison Office\n                      Assistant Secretary for Office of Policy\n                      Assistant Secretary for Office of Public Affairs\n                      Assistant Secretary for Office of Legislative Affairs\n                      Administrator for Transportation 
Security Administration\n                      Transportation Security Administration Audit Liaison\n                      Chief Privacy Officer\n                      Officer for Civil Rights and Civil Liberties\n\n                      Office of Management and Budget\n\n                      Chief, Homeland Security Branch\n                      DHS OIG Budget Examiner\n\n                      Congress\n\n                      Congressional Oversight and Appropriations Committees, as\n                      appropriate\n\n\n\n\n                  Transportation Security Administration Privacy Stewardship \n\n\n                                           Page 31\n\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,\nfax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c"